Adversaries behind ClearFake may use the infrastructure represented by these IOCs to exfiltrate data or establish command and control, and may leverage compromised credentials to move laterally within the network. Proactively hunting for these IOCs in Azure Sentinel enables early detection of advanced persistent threats and limits the impact of potential data breaches.
IOC Summary
Malware Family: ClearFake
Total IOCs: 184
IOC Types: domain
```kql
// Hunt for DNS queries to known malicious ClearFake domains
// Source: ThreatFox - ClearFake
// The list below is the page's IOC set with one duplicate entry (granitebroad.mixzipcore64.lat) removed.
let malicious_domains = dynamic(["aligalpha.mongofixcore.lat", "dynmarkal.codeflux.lat", "kelven7or.mongofixcore.lat", "cryptovault.codeflux.lat", "pway7.mongofixcore.lat", "zirviss9.codeflux.lat", "5tone-mesh.mongofixcore.lat", "queu-scan.codeflux.lat", "gentletide.setqueueat.lat", "lvbj1i51.codeflux.lat", "bloom7-hinge.setqueueat.lat", "shipdem.lipshellcore.lat", "si1e-branch.setqueueat.lat", "script1-gate.lipshellcore.lat", "oakbalancer.setqueueat.lat", "boosmars.lipshellcore.lat", "anchorfreigh.setqueueat.lat", "98ykbe5.lipshellcore.lat", "solspireex3.queuedimsys.lat", "quer-graph.lipshellcore.lat", "assetprotect.queuedimsys.lat", "r3age8-index.lipshellcore.lat", "sub-vit4.queuedimsys.lat", "casual-trail.mixzipcore64.lat", "arktide8ex.queuedimsys.lat", "warmhar.mixzipcore64.lat", "209id.queuedimsys.lat", "not1fie-mesh.mixzipcore64.lat", "rainstudio.userssawtone.lat", "bandwid-route.mixzipcore64.lat", "talnex5on.userssawtone.lat", "granitebroad.mixzipcore64.lat", "gxyuad.userssawtone.lat", "tide6-well.mixzipcore64.lat", "mervaleet.userssawtone.lat", "cry5t4-stream.wetshardauth.lat", "gr1m-mark.userssawtone.lat", "quormark2et.wetshardauth.lat", "channe-grid.wetshardauth.lat", "optwebnode.softnetworkset.pics", "5pr0-span.wetshardauth.lat", "usrgrpstat.softnetworkset.pics", "banb3.wetshardauth.lat", "vmlistview.softnetworkset.pics", "honestshape.wetshardauth.lat", "sshproserv.softnetworkset.pics", "vel-fluxix.didoprotecauth.lat", "tcpconpath.softnetworkset.pics", "sens-ring.didoprotecauth.lat"]);
DnsEvents
// has_any performs term matching, so a query name equal to one of the listed domains is a hit
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
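As an added example that is not part of the original page, the same DnsEvents hunt rolled up per host, so that a single machine resolving several of the listed domains stands out; the domain list is a shortened subset of the one above, the 30-day window and the sandbox host name are assumed placeholders for your environment.

```kql
// Added example: per-host roll-up of lookups for ClearFake domains.
// Subset of the page's IOC list; extend it with the full dynamic() array above.
let malicious_domains = dynamic(["aligalpha.mongofixcore.lat", "dynmarkal.codeflux.lat", "kelven7or.mongofixcore.lat", "cryptovault.codeflux.lat"]);
// Assumed placeholder: analysis hosts that resolve these domains on purpose (see the sandbox scenario below).
let analysis_hosts = dynamic(["malware-sandbox-01"]);
DnsEvents
| where TimeGenerated > ago(30d)              // assumed hunting window
| where Name has_any (malicious_domains)
| where Computer !in~ (analysis_hosts)        // drop known analysis machines
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    Queries   = count(),
    Domains   = make_set(Name),
    ClientIPs = make_set(ClientIP)
    by Computer
| extend DistinctDomains = array_length(Domains)
// Hosts touching several distinct ClearFake domains are the first to triage.
| order by DistinctDomains desc, Queries desc
```

Hosts with a high DistinctDomains count over a short FirstSeen/LastSeen span are the most likely to be running an injected ClearFake page rather than hitting a stray lookup.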
Scenario: Legitimate system update using ClearFake-related tools
Description: A system update or patching process may include tools or scripts that match ClearFake IOCs, such as clearfake.exe or related command-line utilities.
Filter/Exclusion: Check for processes initiated by a known patching tool (e.g., Windows Update, WSUS, or SCCM) or within a known update window.
Scenario: Scheduled job for log cleanup or data sanitization
Description: A scheduled task may use a script or tool that matches ClearFake IOCs, such as clearfake_cleaner.bat, to perform routine log or data cleanup.
Filter/Exclusion: Filter by process name or command-line arguments that include keywords like cleanup, sanitize, or logrotate.
Scenario: Admin task using ClearFake for internal testing
Description: An administrator may use a tool like ClearFake for internal security testing or red team exercises.
Filter/Exclusion: Exclude processes initiated by admin accounts with elevated privileges (e.g., Administrator, SYSTEM) or those running from a known test environment path.
Scenario: False positive from a third-party security tool
Description: A third-party security tool or EDR may include ClearFake IOCs in its own binaries or scripts, leading to a false positive.
Filter/Exclusion: Exclude processes that match the known third-party tool names (e.g., CrowdStrike, SentinelOne, Microsoft Defender) or are signed by their respective vendors.
Scenario: Legitimate use of ClearFake in a sandboxed environment
Description: A sandbox or analysis environment may run ClearFake-related tools for malware analysis, leading to a false positive.
Filter/Exclusion: Exclude processes running from a sandboxed directory (e